[1984] in Kerberos_V5_Development
Re: krb5-libs/207: KDB keytab type multiply defined and wrong
daemon@ATHENA.MIT.EDU (Barry Jaspan)
Wed Nov 20 13:31:37 1996
Date: Wed, 20 Nov 1996 18:31:17 GMT
From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: bjaspan@MIT.EDU
Cc: krb5-bugs@MIT.EDU, krbdev@MIT.EDU, proven@proven.org
In-Reply-To: bjaspan@MIT.EDU's message of Tue, 19 Nov 1996 22:04:44 GMT
<199611192204.WAA19560@beeblebrox.MIT.EDU>
Having little else to do at the moment, I decided to try to get the
KDB keytab stuff working. The patches were not that complicated, but
it turns out that they cannot work for a deeper reason. The problem
is that kadmind is a GSS-API application. The GSS-API uses its own
krb5_context for talking to the krb5 libraries, instead of using a
context inherited from kadmind proper. kadmind's context has the
master key in it, but GSS-API's does not. The KDB keytab code
requires the master key, but is called by GSS-API, so the master key
is not available. Mission fails.

The only decent way to solve this is to figure out the correct way to
interface mechanism-specific information with the GSS-API. This is
not going to happen in the near future.

I will now argue that the KDB keytab code should be removed from the
tree:

1. kadmind, and perhaps the KDC, are the only two processes that can
realistically use a KDB keytab.

2. kadmind already uses a file-based keytab for
kadmin/{admin,changepw} and it works fine. There is no reason to add
extra code to reimplement working functionality. Furthermore, as
discussed above, there is no simple way to make kadmind use the KDB
keytab anyway.

3. The KDC, too, is already written. If it is changed, it should be
changed to use the kadm5 api, which is designed for accessing the
entire KDB, not the keytab api.

4. Thus, neither program that might sensibly use a KDB keytab will
ever do so. The idea falls into the category of "interesting, but
ultimately not useful." Furthermore, the code does not already work,
and nothing is using it, so it is not worth the effort to fix it.

Comments?

Barry